Richard Stallman July 2013
In this section we will cover what is perhaps the most frightening part of the Microsoft program to take control over our computers. It is a new program called UEFI. It can be more accurately thought of as the Microsoft Kill Switch. Microsoft has required that this sinister “feature” be added to all Windows 8 and 10 computers.
Microsoft has created many obstacles to prevent you from adding Linux
As I continued my research, a much bigger problem emerged. Sadly, Microsoft does not want people to use Linux. Microsoft seems to be doing everything they can to keep their corporate monopoly. They want the money that will come from forcing XP users to pay $500 each to change to Windows 10. There are 600 million Windows XP users in the world today and Microsoft wants all 600 million to spend $500 each to “upgrade” to Windows 10 and Office 365. That is $600 billion that Microsoft stands to lose if folks ever learn that they can get a much more stable and reliable word processing system for free.
The Windows operating system is the key to maintaining the Microsoft computer monopoly. So Microsoft has placed all kinds of malicious roadblocks, obstacles and traps to prevent people from using Linux.
What is a Start Up Program?
To understand what the problem with UEFI and Secure Boot is, it is helpful to know a little bit about how computers start up. When you push the POWER ON button on your computer, this initiates a Start Up program. Historically, the universal startup program was called BIOS which stands for Basic Input Output System. This Start Up program is installed by the computer manufacturer. BIOS determines what program boots next and in what order. Typically, the next program to boot is the Windows Boot Manager. This starts Windows which then can be used to start Windows based programs such as MS Office. There are free open source versions of all of these things as shown below:
BIOS versus Core Boot
BIOS is a very old and stable system that allows you to have four or more operating systems installed into four or more “partitions” on your computer. Because BIOS is not a free open source program, and because it slowed down the performance of Linux, a group of Linux programmers spent several years developing an extremely fast, safe and free Startup program called Core Boot. While Core Boot is free and could easily be installed on all computers, manufacturers have continued to use BIOS until Windows 8 came out in 2012.
EFI turns into a monster called UEFI
Also during the past 12 years while Core Boot was being developed, a commercial Start Up program called UEFI was being developed. UEFI stands for Unified Extensible Firmware Interface. UEFI is based on a program called EFI which was an attempt by Intel to update BIOS.
EFI did not have the Secure Boot “feature” and neither did UEFI until about 2008. UEFI has been criticized for not solving any of the problems of BIOS. Like BIOS, UEFI requires two separate drivers – one for the firmware and one for the operating system. This makes UEFI slow and difficult to work with. But the biggest complaint about UEFI is that it placed control for programs in the hands of computer manufacturers such as HP and software companies such as Microsoft rather than in the hands of the computer owner (you).
In fact, for computer users, Secure Boot is like putting on a pair of handcuffs. This does not stop hackers from attacking your computer – because hackers are experts at removing handcuffs. But it does make it harder for you to work with your computer – because now you need to learn how to remove the Secure Boot handcuffs before you can install Linux.
One of the new “features” of Windows 8 and Windows 10 is something called “Secure Boot.” While it does very little to protect your computer, it does make it much more difficult to add another operating system, such as Linux, to your computer. Beginning with UEFI version 2.2, UEFI added a new feature called Secure Boot. This uses a special key, which is nothing more than a digital image, to be activated before any operating system, or any other program can be loaded into the computer.
There are several absurd things about this feature. First, Secure Boot is not a very secure system. This is because digital images are easily copied. Recall that fake digital images were used by Flame to attack Microsoft Security Updates. We are now all well aware that this digital signature system does not work. Second, generic keys are already in existence to bypass the system. It seems that everyone has been given a key to your computer except you! Third, Secure Boot adds huge costs to computers because manufacturers have to pay private companies to have Secure Boot and UEFI installed. For all of these reasons, Core Boot is a much less expensive and more effective security system. Core Boot lets you control the final configuration. This is not only the most secure system – it is also the easiest system for the end user... which is you.
Despite all of these issues, and despite the fact that Secure Boot is an optional feature of UEFI, Microsoft has required all computer manufacturers to use UEFI with Secure Boot on all of their Windows 8 and 10 computers. If Microsoft was really concerned about speed or security, they would have insisted on using Core Boot.
So the insistence on UEFI with Secure Boot seems to have only one purpose – to make it difficult to impossible to install Linux on your computer – in order to maintain the Microsoft Windows monopoly (and/or to help the NSA). To make matters worse, Microsoft has insisted that manufacturers use a special key controlled by Microsoft – rather than a key controlled by the manufacturer. This gives Microsoft total control over your computer – not just the backdoor and the front door – but also the Startup program. This is a very frightening development.
One of the worst of these monopolistic predatory practices is forcing computer manufacturers to sign exclusive agreements to prevent manufacturers from loading a free Linux operating system into computers which have the Windows operating system. Because many users find it difficult to add an operating system to their computer, a far better option would be to have it come pre-installed on all computers so that all users would have to do to activate it is to click on a button. The question is why computer manufacturers have not already added Linux to the computers they sell. After all, Linux is free and can easily be installed in computers by the manufacturer. They could then sell their computers for a hundred dollars cheaper with a fully functional operating system. This would also give their customers a choice. If they also want the Microsoft Windows operating system, they could pay an extra hundred dollars for it. But they would not have to buy Windows just to get the computer they want. Microsoft prevents this from happening by forcing manufacturers to sign restrictive licensing agreements.
Can’t we just turn off Secure Boot?
You can – sort of. You can switch from Secure Boot mode to legacy mode. But this is not the same as going back to the old BIOS Start Up program that starts all Windows XP and Windows 7 computers. You still have the UEFI program controlling whether your Windows 8 or 10 computer starts and the kill switch is still there. There are reports of folks switching to the UEFI Legacy mode only to have Microsoft switch the mode back to secure boot at the next Microsoft Update. And there is no way to close this backdoor to your computer because as we now know, Internet Explorer is tied into the Windows operating system. Finally, the UEFI code is ten times bigger than the BIOS code. What do you think all of that extra code is all about?
But isn’t UEFI some nice program that was created by a non-profit group?
Since UEFI with Secure Boot is capable of destroying the entire world economy, it is worth understanding how this nuclear weapon came into being. Microsoft claims to be an innocent bystander in the creation of Secure Boot. But the facts tell otherwise. According to the UEFI official story, around the turn of the century, Intel wanted to update the BIOS Startup program to help their chips start up faster. So they used an “open source” operating system called BSD to create a new Startup program called EFI (Extensible Firmware Interface). There are several things fishy about this official story. First, BSD stands for the Berkeley Software Distribution. It was created in the early 1990’s at the University of California at Berkeley and is a free open source operating system. Fast forward to 2000. Intel wants a better Startup program. Does it make any sense that a hardware company like Intel would try to write any software program – much less a program that controls the Startup of every computer? This is like Microsoft deciding that they were going to start making their own computer chips!
Besides, if Intel had really wanted a modern fast Startup program, they could simply have used the free open source Core Boot program that was being developed by the Linux community. In addition, EFI was not that fast or that smart. It was slower than Core Boot because it used the same complex driver process that BIOS used. At any rate, according to the official story, in 2005 Intel gave up on the EFI project and donated the EFI code to the UEFI Forum – a non-profit group that suddenly appeared like magic out of the middle of nowhere whose mission it was to create a modern Startup program. Naturally, Intel and Microsoft were on the Board of this new nonprofit organization.
The UEFI verification or signing mechanism is identical to the Microsoft Windows signing mechanism – a process that has already been attacked and compromised by the Flame virus.
In 2006, UEFI made version 1.0 which was not much different than EFI. But it was important enough for Bill Gates to give a keynote speech about UEFI:
“These are changes across the board, in terms of how hardware and software work together. If we think about boot, we're finally moving away from the old BIOS to this unified extensible firmware interface and that gives us new flexibility and capability.” Bill Gates WINHEC 2006 Keynote Speech
UEFI version 1.0 in 2006 was not that different from BIOS. In particular, it did not include secure boot. Neither did version 2.1 which was released on January 7, 2007. So what the heck was Bill Gates talking about in his 2006 speech? Could it be that Bill knew something completely different was in the works? Beginning in 2008, just a few months after Microsoft joined the NSA PRISM program, strange things began to happen. The biggest change was with version 2.2. With version 2.2, the purpose began to change, the tools began to change and even the code began to change. Suddenly instead of being merely an update to BIOS, UEFI became a nuclear weapon with the addition of Secure Boot. The UEFI manual grew to be nearly 2,200 pages.
Who could have done that? Pay no attention to that man behind the curtain (who also happens to be the richest man in the world). Then UEFI version 2.3 was released in April 2011 – just 6 months before the “developer” release of Windows 8 at a Microsoft Developer conference in September 2011. The Secure Boot contracts and certificates were not released until 2012. This seemed to be an attempt to hide the real nature of Secure Boot until the release of Windows 8.
Evidence that Microsoft created UEFI and Secure Boot
Microsoft has denied having been involved in creating the UEFI and Secure Boot Twin monsters. However, there are four convincing facts which refute their claim. First, UEFI file names use back slashes for separators. Microsoft is the only company in the world which uses backslashes in their file names. All other programmers use forward slashes.
Example of Unix Forward Slash File Naming:
Example of the same file with Microsoft Backward Slash File Naming:
The open source community uses forward slashes to define file names. This is because Linux and BSD are both based on Unix and Unix uses forward slashes for file names and backward slashes for the “escape” function. But there is one company in the world that is arrogant enough to write their own computer languages which use backward slashes for file names. The company who uses backward slashes for file names is Microsoft. And the UEFI file names? Well, they all now use backward slashes. This is very odd because the “official” story claims that UEFI was based on BSD and BSD uses forward slashes!
Security experts are mad at Microsoft for insisting on programming with backward slashes as it creates a huge security risk. This is because all URLs use forward slashes – including web pages which protect sensitive business data. One example of this danger occurred in 2004. Active Server Pages (ASP) is a Microsoft programming language. In 2004, it was discovered that ASP has a huge security flaw associated with back slashed file names.
“By using a backslash instead of a forward slash you could access secure ASP.NET resources that normally required authentication. So, if accessing www.example.net/secure/private.aspx is supposed to be a protected web page requiring authentication, anyone who wants to could still access the file by entering the URL as www.example.net/secure\private.aspx. Even if you set NTFS permissions to block anonymous users, ASP.NET still allowed access.” Mark Burnett, Hacking the Code and Stealing the Network
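The canonicalization flaw Burnett describes, as an added example (not code from the book or from ASP.NET): a Python model of an authorization gate that matches the raw request path, beside one that first reduces the path to the single form a Windows-hosted backend would open. The function names, the `/secure` directory list and the sample requests are constructed for illustration, and the sample set goes beyond the one backslash case in the quote to its encoded, mixed-case and dot-segment variants.

```python
import posixpath
from urllib.parse import unquote

# Assumption: the protected directory from the quoted URL; everything else is public.
PROTECTED_DIRS = ("/secure",)


def canonicalize(url_path: str) -> str:
    """Reduce a request path to the one form a Windows-hosted backend opens."""
    decoded = unquote(url_path)
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded path rejected")
    if any(ord(ch) < 0x20 for ch in decoded):
        raise ValueError("control character in path")
    # On Windows '\' is a path separator and file names are case-insensitive.
    unified = decoded.replace("\\", "/").lower()
    # Collapse '.', '..' and repeated slashes; force exactly one leading slash.
    return posixpath.normpath("/" + unified.lstrip("/"))


def _in_protected_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)


def naive_requires_auth(url_path: str) -> bool:
    """Flawed gate: matches the raw request string against the directory."""
    return _in_protected_dir(url_path)


def hardened_requires_auth(url_path: str) -> bool:
    """Gate that authorizes the canonical path; undecidable input fails closed."""
    try:
        return _in_protected_dir(canonicalize(url_path))
    except ValueError:
        return True


def find_gaps(gate, paths):
    """Paths the backend maps into a protected directory but the gate lets through."""
    gaps = []
    for p in paths:
        try:
            target = canonicalize(p)  # the backend model uses the same reduction
        except ValueError:
            continue  # the backend model refuses these outright
        if _in_protected_dir(target) and not gate(p):
            gaps.append(p)
    return gaps


# Constructed sample requests; the first two are the forms in the quoted passage.
SAMPLE_PATHS = [
    "/secure/private.aspx",
    "/secure\\private.aspx",
    "/secure%5cprivate.aspx",
    "/Secure/private.aspx",
    "/public/../secure/private.aspx",
    "//secure/private.aspx",
    "/public/index.aspx",
]

if __name__ == "__main__":
    print("naive gate misses:   ", find_gaps(naive_requires_auth, SAMPLE_PATHS))
    print("hardened gate misses:", find_gaps(hardened_requires_auth, SAMPLE_PATHS))
```

The gate and the file resolver must agree on one canonical form; any difference between the string that is authorized and the path that is opened is the gap the quote describes.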
It is clear that in writing UEFI with back slashed file names, Microsoft has not learned its lesson about what a dangerous practice this is. They have now tied insecure back slashed file names to the most dangerous computer weapon ever produced. This is why I maintain that UEFI and Secure Boot should be avoided at all costs. There is nothing safe about either of these “features.” Computer manufacturers should replace UEFI and Secure Boot with Core Boot – which of course uses the standard and secure forward slash file names. In any case, the fact that UEFI has been changed to back slashed file names is clear evidence that the two latest versions of UEFI were actually written by Microsoft programmers. It is also clear that Secure Boot was written by Microsoft and added to UEFI at the very last minute. It is also clear that Secure Boot was written specifically for Windows 8. Thus, Microsoft’s fingerprints are all over the crime scene. And make no doubt about it – UEFI with Secure Boot is a crime against humanity. It doesn’t take Sherlock Holmes to figure out where UEFI really came from or what the real purpose of Windows 8 is.
Second, the UEFI security signing mechanism is identical to the Microsoft Windows security signing. I do not mean similar. I mean IDENTICAL. Many sections of UEFI code even begin with the word “win.”
Third, the versions of UEFI since Microsoft joined this project are completely different from the version of UEFI which existed before Microsoft joined the project. As just one example, the original versions of UEFI did not have secure boot and made no mention of anything like secure boot in their plans.
Fourth, before Microsoft joined the project, the source code for EFI was open and publicly available. After Microsoft joined, a cloak of secrecy covered the project. No one knows for sure exactly what is in the bloated UEFI code – which is ten times bigger than either the BIOS code or the Core Boot code.
The Secure Boot Kill Switch is different from the Windows “Apps” Kill Switch that has been discussed in the media
A Kill Switch is a program which can remotely delete software and edit code without the user’s permission. There are at least two known Kill Switches on the Windows operating system – these are the Secure Boot Kill Switch and the Apps Kill Switch. There has been some confusion in the media about which Microsoft Kill Switch is the most dangerous. I want to make it clear that I have no problem with the new Windows Apps Kill Switch which is capable of destroying any programs you purchase through the Microsoft Apps Store. Anyone who buys an app through the Microsoft Apps store deserves to have their programs nuked without warning. The Apps Kill Switch does not kill your entire computer and does not prevent you from installing an alternate operating system. In fact, all it takes is a comparison of the silly programs at the Microsoft Apps store to the 40,000 free programs at the Linux store to get people rushing out to download Linux.
We have managed to get a picture of the Windows Secure Boot Kill Switch:
You can see that the Windows Secure Boot Kill Switch comes with four safety locks to prevent accidental discharge. This is very similar to the safety mechanisms for any other nuclear device. Before activating the kill switch, the staff member (with super key security clearance) would first have to disable all four safety locks. They then would turn the kill switch to the ON position before activating with the big red button affectionately known as the Doomsday Machine. Naturally Microsoft has promised to only use this device against pirated copies of their software. Members of the open source community have complained that UEFI and Secure Boot will prevent users from adding Linux.
Microsoft claims that Secure Boot is needed for safety reasons. However, if Microsoft was even remotely concerned about safety, they would not leave the back door open to all Microsoft operating systems. Microsoft had already created problems for “dual booting” a Linux operating system with Windows 7. We will discuss these problems further in the section on dual booting. But it is apparent that Microsoft is doing everything in its power to maintain its monopoly.
Microsoft Windows has since 1997 had known malicious features... features to spy on the user and restrict what the user can do, which are in fact digital handcuffs, and it has known back door security problems whereby Microsoft can change anything about your program remotely. However, these attempts at censorship may backfire for Microsoft. As users become more aware that Microsoft is trying to limit their ability to use open source operating systems this may actually increase the interest in using them. Users will realize that the way to take back control over their future is to first take back control of their computer.
Secure Boot adds a new verb to the English Language: Brick
Thanks to Secure Boot, a new verb has been added to the English Language. It is brick – as in “Secure Boot just bricked my computer.” The verb comes from the noun “brick” which is a heavy useless block. Sadly, if you try to do anything Secure Boot does not like, it might shut down your computer and prevent it from turning on again – turning your computer into a heavy useless block aka a brick. There are now numerous reports of UEFI and Secure Boot bricking computers that attempt to install Linux.
Personal Computer User Freedom Matrix
Richard Stallman has outlined four essential freedoms. The following table shows how each of the three Startup programs stacks up on these four freedoms.
Microsoft's solution to the bricked computer problem is to buy a new official key from Microsoft. Perhaps this is the new Microsoft business model.
In a later chapter, we will show you how to turn off Secure Boot. There are many reports that some computer manufacturers simply turn off Linux operating systems. These include Lenovo, Toshiba and Samsung. But even turning off Secure Boot and Microsoft Update is just a temporary fix – since Microsoft still retains control over every computer with Windows/UEFI/Secure Boot installed on it. The only real solution is to not buy a computer with Windows installed on it and demand that computer manufacturers use Core Boot instead of UEFI/Secure Boot. Even though Windows is the greatest attack on our freedom since the East India Corporation came up with the Stamp Act – a move that started the American Revolution – do not expect much help from our government. A better solution is to file and run for office at the next election.
In the meantime, the best thing you can do to take back control of your computer is finish reading this book and learn how to install and use Linux and Libre Office on your own computer. We will review the best available solutions to all of these Windows 8 problems in later chapters. The reason this book is so long is not because Linux is hard to learn. Rather it is because of all the Microsoft traps.
The Secure Boot Trap is challenged in Court
On March 26, 2013, an 8,000 member group in Spain called Hispalinux filed a complaint against Microsoft protesting that the new “Secure Boot” feature in Windows 8 was simply another attempt to maintain the Microsoft Monopoly by making it more difficult for folks to add Linux to their computers.
“UEFI Secure Boot with Microsoft keys is designed to block non-Microsoft software. This is not a side-effect. It is its main purpose and is spelled out as such in Microsoft's own documentation... One of the options allowed by UEFI is the digital signature of drivers and applications, permitting complete control over the start-up system. Microsoft, as the sole owner of the private key, which matches up with the public key held in the memory of computers running Windows 8, is the only party that can authorize (sign) the software components in UEFI, the only party that can sign the boot of the operating system, and the only party that can sign the communications between the operating system and UEFI. To attain this goal, Microsoft has to use all its influence and power in the market to force computer and component manufacturers to accept its monopoly in the key generation system.” Hispalinux Lead Attorney Jose Lancho
In June 2013, the American Civil Liberties Union filed a lawsuit against the NSA for violations of the 1st and 4th Amendments to the US Constitution. Hopefully, this book will help more people understand the connection between Microsoft and the NSA and help them take steps to free their computers from this attack on their privacy.
Everything to gain and nothing to lose
It is important to understand that you do not need to give up your current operating system or word processing programs to install open source tools on your computer. You can have Linux and Windows open at the same time and switch back and forth between them just like switching back and forth between your web browser and a Word document. You can even use open source tools like Libre Office to work with, save and send Word documents. And you can use the Linux operating system to run Windows programs. In fact, nearly anything that you currently do using expensive Microsoft programs you can do better, easier and safer using free open source tools.
We will show you how to safely install and use open source tools so you can test them side by side with whatever you are currently using – and decide for yourself whether you want to jump permanently to open source. Open source tools put you in control of your computer and your life. No more patches, no more upgrades, no more hassles! In other words, you have nothing to lose and everything to gain by learning more about the many benefits of open source tools. Once you give it a try, you will probably wonder why you waited so long. That is how we all feel the first time we are exposed to open source programs.
Many organizations have seen the writing on the wall and already made the move from Windows to Linux.
Now that we have a better understanding of the dangers of the UEFI startup program, in the next chapter we will look more closely at the real cost of the Microsoft Monopoly.